olcHidden breaks slapcat? possible bug in slapcat(8)?
by Igor Shmukler
Hello,
I use olcHidden and set it to true in some instances.
This seems to work, yet it breaks slapcat(8) as below:
$ sudo slapcat -n 0
5530b282 olcRootPW: value #0: <olcRootPW> can only be set when rootdn
is under suffix
5530b282 config error processing olcDatabase={2}hdb,cn=config:
<olcRootPW> can only be set when rootdn is under suffix
slapcat: bad configuration file!
Is this a bug, or the desired behavior?
Sincerely,
Igor Shmukler
8 years, 5 months
cache size and performance
by Greg Jetter
Hello:
I am running an OpenLDAP setup with one provider and 3 consumers, and I am seeing intermittent problems of replication not happening until the consumers are restarted. This cures the problem:
replication starts up and continues for a while.
The servers have a very large amount of memory, 256 gigs.
I configured the hdb backend 'DB_CONFIG' to have 4 gigs of cache; could this be causing the replication problem?
What's the optimal size that keeps OpenLDAP happy?
thanks
Greg
8 years, 5 months
Fwd: 2.4.40 memory leak?
by Sergey Esin
Hi all,
We're running OpenLDAP 2.4.40 (the latest available release) with just one
replica server (connected via TLS) and have the following picture -
http://i.imgur.com/om0lMiy.png
On the graph you can see memory consumption of the slapd process on the
host: in the beginning it started without replica, then replica server was
connected (memory consumption became around 4 Gigs) and then OOM
(out-of-memory) killer on linux machine just killed the process.
There are ~400 000 users in our ldap database.
OpenLDAP was compiled from sources using "./configure --prefix=/ldap2440
--with-tls --enable-slapd".
Are there any ways to understand what is going wrong and how to fix it?
This server is really important for us, please share any ideas how to make
it stable!
My DB_CONFIG is like below:
set_flags DB_LOG_AUTOREMOVE
set_cachesize 0 524288000 5
set_lg_regionmax 1048576
set_lg_max 10485760
set_lg_bsize 2097512
set_lk_max_locks 23000
set_lk_max_lockers 2300
set_lk_max_objects 2300
--
Regards,
Sergey
8 years, 5 months
Re: olcHidden breaks slapcat? possible bug in slapcat(8)?
by Igor Shmukler
Hello Ulrich,
Not to me, it does not answer the question.
How do I connect olcHidden set to TRUE throwing an error, and FALSE
does not? Would you mind making the connection for me, please?
Sincerely,
Igor Shmukler
On Fri, Apr 17, 2015 at 9:38 AM, Ulrich Windl
<Ulrich.Windl(a)rz.uni-regensburg.de> wrote:
>>>> Igor Shmukler <igor.shmukler(a)gmail.com> wrote on 17.04.2015 at 09:16 in
> message
> <CAA1SNA3DMtE+1ZnzCu_NxeX164ZK3aZ-G7o0q-Dx8KXc5QBxDA(a)mail.gmail.com>:
>> Hello,
>>
>> I use olcHidden and set it to true in some instances.
>> This seems to work, yet it breaks slapcat(8) as below:
>> $ sudo slapcat -n 0
>> 5530b282 olcRootPW: value #0: <olcRootPW> can only be set when rootdn
>> is under suffix
>> 5530b282 config error processing olcDatabase={2}hdb,cn=config:
>> <olcRootPW> can only be set when rootdn is under suffix
>> slapcat: bad configuration file!
>
> In a message Igor sent to me before, it showed that he has an olcRootPW set, but no olcRootDN.
> I guess it answered the question, right?
>
>>
>> Is this a bug, or the desired behavior?
>>
>> Sincerely,
>>
>> Igor Shmukler
>
>
>
>
8 years, 5 months
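The check that slapcat is complaining about above can be reproduced offline on a `slapcat -n 0` dump. The following is an added example written for this page, not OpenLDAP code and not from either poster: a small Python linter that parses the cn=config LDIF and reports every database carrying an olcRootPW whose olcRootDN is missing or not under an olcSuffix of that same database. It also flags a database with olcHidden: TRUE; that a hidden database cannot claim its own rootdn is an assumption made to match the symptom reported in this thread, not something the thread establishes. The LDIF excerpt embedded in the script is constructed.

```python
from typing import Dict, List

Entry = Dict[str, List[str]]


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader for slapcat -n 0 output: unfolds continuation
    lines (leading space), splits records on blank lines, skips comments.
    Base64 ("::") values are kept verbatim; this check never needs them."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: List[Entry] = []
    cur: Entry = {}
    for line in lines + [""]:
        if line == "":
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        cur.setdefault(key.strip(), []).append(value.strip())
    return entries


def dn_under(dn: str, suffix: str) -> bool:
    """True when dn equals suffix or lies below it (RDN-boundary aware,
    case-insensitive; escaped commas are not handled)."""
    d = [c.strip().lower() for c in dn.split(",")]
    s = [c.strip().lower() for c in suffix.split(",")]
    return len(d) >= len(s) and d[-len(s):] == s


def check_rootpw(entries: List[Entry]) -> List[str]:
    """Report databases whose olcRootPW cannot be accepted (slapd's wording)."""
    findings = []
    for e in entries:
        dn = e.get("dn", [""])[0]
        if not dn.lower().startswith("olcdatabase=") or "olcRootPW" not in e:
            continue
        suffixes = e.get("olcSuffix", [])
        if not suffixes and e.get("olcDatabase", [""])[0].endswith("config"):
            suffixes = ["cn=config"]   # the config database's implicit suffix
        rootdn = e.get("olcRootDN", [None])[0]
        hidden = e.get("olcHidden", ["FALSE"])[0].upper() == "TRUE"
        ok = rootdn is not None and any(dn_under(rootdn, s) for s in suffixes)
        # Assumption: a hidden database cannot claim its rootdn, which is what
        # the symptom in this thread suggests (error only with olcHidden: TRUE).
        if not ok or hidden:
            findings.append(
                f"{dn}: <olcRootPW> can only be set when rootdn is under suffix")
    return findings


# Constructed cn=config excerpt (not the poster's real configuration).
SAMPLE = """\
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcRootDN: cn=config
olcRootPW: {SSHA}placeholder

dn: olcDatabase={1}hdb,cn=config
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: dc=example,dc=com
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: {SSHA}placeholder

dn: olcDatabase={2}hdb,cn=config
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcSuffix: dc=directory,dc=com
olcRootPW: {SSHA}placeholder

dn: olcDatabase={3}hdb,cn=config
objectClass: olcHdbConfig
olcDatabase: {3}hdb
olcSuffix: dc=hidden,dc=com
olcRootDN: cn=admin,dc=hidden,dc=com
olcHidden: TRUE
olcRootPW: {SSHA}placeholder
"""

if __name__ == "__main__":
    for finding in check_rootpw(parse_ldif(SAMPLE)) or ["no findings"]:
        print(finding)
```

Run it against a real dump with `slapcat -n 0 | python3 rootpw_check.py` after replacing `SAMPLE` with `sys.stdin.read()`; the {2}hdb case is the one Ulrich describes (password, no rootdn) and {3}hdb is the hidden-database case under the assumption above.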
Re: Re: Can domain admins be filtered out with ACLs?
by Igor Shmukler
Hello Ulrich,
I do not doubt that you are right, yet I want to understand.
Why would the rootdn be necessary to fix ACLs when we have the config
database without a RootDN, and therefore that one cannot be messed up
by applying a filter to the RootDN?
Not that I doubt wisdom of the design decisions.
For my goal, I am going to use olcHidden to achieve what I need
instead. If I cannot properly suspend a DIT, I get close to desired
results by hiding the database.
Sincerely,
Igor Shmukler
On Fri, Apr 17, 2015 at 8:15 AM, Ulrich Windl
<Ulrich.Windl(a)rz.uni-regensburg.de> wrote:
>>>> Quanah Gibson-Mount <quanah(a)zimbra.com> wrote on 16.04.2015 at 20:38 in
> message <C40A1A2544EECEE4E75EA494(a)[192.168.1.9]>:
> [...]
>> From the slapd.access(5) man page:
>>
>> Be warned: the rootdn can always read and write EVERYTHING!
>
> ...and that is very helpful if you messed up your ACLs...
>
> [...]
>
> Regards,
> Ulrich
>
>
8 years, 5 months
Can domain admins be filtered out with ACLs?
by Igor Shmukler
Hello,
I tried to filter out everyone except cn=config when my ACL filter
rule is true (a NAME type attribute matches a value), so that password
authentication for filtered-out users would fail.
It works for regular users, and does not for admins. Is this because
my ACL rules are wrong, or is this a feature of OpenLDAP? Why no
matter what I do
My LDIF is below:
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  filter=(serviceLevel=suspended)
  by dn="cn=config" write
  by * none
olcAccess: {1}to attrs=userPassword,shadowLastChange
  filter=(!(serviceLevel=suspended))
  by self write
  by anonymous auth
  by dn="cn=admin,dc=directory,dc=com" write
  by dn="cn=config" write
  by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to *
  filter=(serviceLevel=suspended)
  by dn="cn=config" write
  by * none
olcAccess: {4}to *
  filter=(!(serviceLevel=suspended))
  by self write
  by dn="cn=admin,dc=directory,dc=com" write
  by dn="cn=config" write
  by * read
Is there something special about LDAP administrator, by design?
Thank you,
Igor Shmukler
8 years, 5 months
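To see why the admin is unaffected while regular users are, here is an added example (not code from the thread and not OpenLDAP code): a toy Python model of the slapd.access(5) evaluation order with the five olcAccess values above typed in as rules. It applies the first matching `to` clause, then the first matching `by` clause inside it, denies when a matching `to` clause has no matching `by`, and short-circuits the rootdn, which, as the man page quoted in the reply above says, can always read and write everything. It assumes cn=admin,dc=directory,dc=com is the database's olcRootDN (the thread suggests but does not state this); the user entries are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Access levels in increasing order, as listed in slapd.access(5).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

def level_ge(granted: str, needed: str) -> bool:
    return LEVELS.index(granted) >= LEVELS.index(needed)

@dataclass
class Entry:
    dn: str
    attrs: Dict[str, List[str]]

@dataclass
class By:
    who: str        # "self", "anonymous", "*" or "dn=<exact dn>"
    level: str

@dataclass
class Rule:
    by: List[By]
    attrs: Optional[Set[str]] = None              # None means "to *"
    dn_base: Optional[str] = None                 # set for 'to dn.base=""'
    filt: Optional[Tuple[str, str, bool]] = None  # (attr, value, negated)

def rule_matches(rule: Rule, entry: Entry, attr: str) -> bool:
    if rule.dn_base is not None and entry.dn != rule.dn_base:
        return False
    if rule.attrs is not None and attr not in rule.attrs:
        return False
    if rule.filt is not None:
        a, v, negated = rule.filt
        present = v in entry.attrs.get(a, [])
        if present == negated:  # (x=v) needs present, (!(x=v)) needs absent
            return False
    return True

def who_matches(by: By, requester: Optional[str], entry: Entry) -> bool:
    if by.who == "*":
        return True
    if by.who == "anonymous":
        return requester is None
    if by.who == "self":
        return requester is not None and requester == entry.dn
    if by.who.startswith("dn="):
        return requester == by.who[3:]
    return False

def access(rules: List[Rule], rootdn: str, requester: Optional[str],
           entry: Entry, attr: str, needed: str) -> bool:
    """Does requester (None = anonymous) get `needed` on entry/attr?"""
    if requester is not None and requester == rootdn:
        return True      # "the rootdn can always read and write EVERYTHING"
    for rule in rules:
        if not rule_matches(rule, entry, attr):
            continue
        for by in rule.by:
            if who_matches(by, requester, entry):
                return level_ge(by.level, needed)
        return False     # matching "to" with no matching "by": denied
    return False         # nothing matched: implicit "access to * by * none"

def simple_bind_allowed(rules: List[Rule], rootdn: str, entry: Entry) -> bool:
    """Password bind: the rootdn is checked against olcRootPW with no ACL;
    everyone else needs 'auth' on userPassword, evaluated as anonymous."""
    if entry.dn == rootdn:
        return True
    return access(rules, rootdn, None, entry, "userPassword", "auth")

ROOTDN = "cn=admin,dc=directory,dc=com"   # assumption: this is the olcRootDN
PW = {"userPassword", "shadowLastChange"}
SUSP, NOT_SUSP = ("serviceLevel", "suspended", False), ("serviceLevel", "suspended", True)
ACL = [  # the five olcAccess values from the LDIF above, in order
    Rule(attrs=PW, filt=SUSP, by=[By("dn=cn=config", "write"), By("*", "none")]),
    Rule(attrs=PW, filt=NOT_SUSP, by=[By("self", "write"), By("anonymous", "auth"),
         By("dn=" + ROOTDN, "write"), By("dn=cn=config", "write"), By("*", "none")]),
    Rule(dn_base="", by=[By("*", "read")]),
    Rule(filt=SUSP, by=[By("dn=cn=config", "write"), By("*", "none")]),
    Rule(filt=NOT_SUSP, by=[By("self", "write"), By("dn=" + ROOTDN, "write"),
         By("dn=cn=config", "write"), By("*", "read")]),
]

# Constructed sample entries (not from the thread).
ALICE = Entry("uid=alice,dc=directory,dc=com",
              {"userPassword": ["{SSHA}x"], "serviceLevel": ["active"]})
BOB = Entry("uid=bob,dc=directory,dc=com",
            {"userPassword": ["{SSHA}y"], "serviceLevel": ["suspended"]})
ADMIN = Entry(ROOTDN, {"userPassword": ["{SSHA}z"], "serviceLevel": ["suspended"]})

def scenario() -> Dict[str, bool]:
    return {
        "active_user_bind": simple_bind_allowed(ACL, ROOTDN, ALICE),
        "suspended_user_bind": simple_bind_allowed(ACL, ROOTDN, BOB),
        "suspended_rootdn_bind": simple_bind_allowed(ACL, ROOTDN, ADMIN),
        "alice_reads_bob": access(ACL, ROOTDN, ALICE.dn, BOB, "cn", "read"),
        "rootdn_reads_bob": access(ACL, ROOTDN, ROOTDN, BOB, "cn", "read"),
    }
```

Calling `scenario()` shows the suspended regular user failing the bind (rule {0} grants anonymous nothing on userPassword) while the suspended admin still binds and still reads everything, because the rootdn never enters the ACL list at all. Suspending the rootdn account therefore has to be done by changing olcRootDN/olcRootPW, not through olcAccess.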
Re: integrate Openldap and Windows Active Directory server 2003
by Clément OUDOT
2015-04-15 17:48 GMT+02:00 Kaushal Shriyan <kaushalshriyan(a)gmail.com>:
> Hi Clement,
>
> LSC: we proposed a synchronisation mechanism but it was rejected since it gives a
> lot of privileges to OpenLDAP to change customer data in AD. The
> customer doesn't want it. Is there a way to get over with this specific use
> case?
>
You just need a read-only AD account if you need to sync from AD to OpenLDAP.
Clément.
8 years, 5 months
multiples syncrepl from same host and DB
by julien soula
hello,
I wanted to synchronize 2 branches of a master DB (slapd-2.4.38). So I
created 2 olcSyncrepl on the slave:
olcSyncrepl: {0}rid=201 provider=ldap://master searchbase="cn=branch1,suffixDB" scope=sub
olcSyncrepl: {1}rid=202 provider=ldap://master searchbase="cn=branch2,suffixDB" scope=sub
Unfortunately, it doesn't work. A change on branch2 on the master
often produces a "CSN too old" on the slave.
After investigating, it seems that the problem comes from the fact that there is
one contextCSN per DB. So if the sync task on branch1 is the first to
process, it updates the contextCSN and therefore the sync task on
branch2 thinks that the change is not newer. Am I right?
So is there a proper way to achieve what I want ?
Thanks for any hints,
--
Julien
<< You have nothing to say... Let's talk about it! >>
8 years, 5 months
Re: Antw: multiples syncrepl from same host and DB
by julien soula
On Wed, Apr 15, 2015 at 02:40:37PM +0200, Ulrich Windl wrote:
> >>> julien soula <jsoula(a)univ-lille2.fr> wrote on 15.04.2015 at 13:29 in
> message <20150415112905.GB3225(a)nickel.univ-lille2.fr>:
> > hello,
> >
> > I wanted to synchronize 2 branches of a master DB (slapd-2.4.38). So I
> > created 2 olcSyncrepl on the slave :
> >
> > olcSyncrepl: {0}rid=201 provider=ldap://master
> > searchbase="cn=branch1,suffixDB" scope=sub
> > olcSyncrepl: {1}rid=202 provider=ldap://master
> > searchbase="cn=branch2,suffixDB" scope=sub
> >
> > Unfortunately, it doesn't work. A change on branch2 on the master
> > produces often a "CSN too old" on the slave.
> >
> > After investigating, it seems that the problem comes from the fact that there is
> > one contextCSN per DB. So if the sync task on branch1 is the first to
> > process, it updates the contextCSN and therefore the sync task on
> > branch2 thinks that the change is not newer. Am I right?
>
> If the message you are talking about is like this:
> slapd[3965]: do_syncrep2: rid=001 CSN too old, ignoring 20150409131449.846699Z#000000#001#000000 (olcDatabase={1}hdb,cn=config)
yes
> _and_ the CSN received is the CSN sent,...
yes
> ... then just ignore the message. That is the same server said before:
> slapd[3965]: slap_queue_csn: queing 0x7f5f30afcf20 20150409131449.846699Z#000000#001#000000
>
> >
> > So is there a proper way to achieve what I want ?
>
> Did you check the databases before and after sync? Are there differences, or are you just worried about the messages?
In fact, I first noticed that the slave had not changed, then I took a look
at the log and saw this message (the only suspect I saw).
Is this config supposed to work?
Sincerely,
--
Julien
<< You have nothing to say... Let's talk about it! >>
8 years, 5 months
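An added example (not OpenLDAP code and not from either poster) modelling the interaction Julien describes and the log line Ulrich quotes: a CSN parser/comparator plus a toy consumer with one contextCSN per database that is shared by two rids. The first timestamp is the CSN from Ulrich's log line, the second is a constructed later one; the real consumer's cookie handling is reduced here to the rule the thread discusses, that a change whose CSN is not newer than the stored contextCSN is ignored.

```python
import re
from typing import Dict, List, NamedTuple

# CSN layout (fixed width): YYYYmmddHHMMSS.uuuuuuZ#count#sid#modcount, hex fields.
CSN_RE = re.compile(
    r"^(\d{14}\.\d{6}Z)#([0-9a-fA-F]{6})#([0-9a-fA-F]{3})#([0-9a-fA-F]{6})$")


class CSN(NamedTuple):
    stamp: str   # generalized time with microseconds
    count: int
    sid: int     # serverID of the provider that generated the change
    mod: int

    @classmethod
    def parse(cls, text: str) -> "CSN":
        m = CSN_RE.match(text)
        if not m:
            raise ValueError(f"not a CSN: {text!r}")
        return cls(m.group(1), int(m.group(2), 16), int(m.group(3), 16),
                   int(m.group(4), 16))

    def __str__(self) -> str:
        return f"{self.stamp}#{self.count:06x}#{self.sid:03x}#{self.mod:06x}"


class Consumer:
    """One consumer database with a single contextCSN per sid, shared by
    every syncrepl rid that targets the database (the setup in the thread)."""

    def __init__(self) -> None:
        self.context_csn: Dict[int, CSN] = {}
        self.applied: List[str] = []
        self.log: List[str] = []

    def receive(self, rid: int, dn: str, entry_csn: CSN) -> bool:
        """A change arrives for rid; apply it only if newer than the cookie."""
        have = self.context_csn.get(entry_csn.sid)
        if have is not None and entry_csn <= have:
            self.log.append(
                f"do_syncrep2: rid={rid:03d} CSN too old, ignoring {entry_csn}")
            return False
        self.applied.append(dn)
        return True

    def finish_refresh(self, provider_context_csn: CSN) -> None:
        """At the end of a refresh the provider's contextCSN becomes the
        cookie, even if it covers branches this rid never looked at."""
        have = self.context_csn.get(provider_context_csn.sid)
        if have is None or provider_context_csn > have:
            self.context_csn[provider_context_csn.sid] = provider_context_csn


# Ulrich's logged CSN, plus a constructed later one for the branch2 change.
T1 = CSN.parse("20150409131449.846699Z#000000#001#000000")
T2 = CSN.parse("20150409131530.000001Z#000000#001#000000")


def two_rid_scenario() -> Consumer:
    """rid=201 (branch1) refreshes first and stores the provider-wide
    contextCSN T2; rid=202 (branch2) then delivers the T2 change, which is
    no longer newer than the cookie and is thrown away."""
    c = Consumer()
    c.receive(201, "cn=x,cn=branch1,suffixDB", T1)
    c.finish_refresh(T2)
    c.receive(202, "cn=y,cn=branch2,suffixDB", T2)
    return c


def replay_scenario() -> Consumer:
    """The benign case Ulrich describes: the CSN received is one the
    consumer already holds, so the message is logged but nothing is lost."""
    c = Consumer()
    c.receive(1, "cn=x,cn=branch1,suffixDB", T1)
    c.finish_refresh(T1)
    c.receive(1, "cn=x,cn=branch1,suffixDB", T1)
    return c


if __name__ == "__main__":
    for name, c in (("two rids", two_rid_scenario()), ("replay", replay_scenario())):
        print(name, "applied:", c.applied, "log:", c.log)
```

The two scenarios produce the same log line but differ in what is in `applied`: in the two-rid case the branch2 entry is missing, which matches the "no-change of the slave" Julien observed, while in the replay case every change is already present. Comparing the consumer's contents with the provider's, as Ulrich suggests, is what separates the two.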